Abstract

We present a digital signature scheme which is based on the existence of any trapdoor 
permutation. Our scheme is secure in the strongest possible natural sense: namely, it is secure 
against existential forgery under adaptive chosen message attack. 
1 Introduction

1.1 The Diffie-Hellman Model of Digital Signatures

Fifteen years ago, Diffie and Hellman [DH] put forward a beautiful model for digitally signing. 
Their model is based on — and in some sense coincided with — their newly introduced notion of 
a trapdoor permutation, an extension of the notion of a one-way permutation. 

Roughly, a permutation f is said to be one-way if it is computationally easy to evaluate, but
computationally hard to invert. A one-way permutation f is trapdoor if it has an associated secret
string, S_f, given which f becomes easy to invert.

Diffie and Hellman proposed using trapdoor permutations to achieve digital signatures as follows.
Each user A selects a trapdoor permutation f_A "together with" its associated secret S_{f_A}.
User A then publishes f_A and keeps secret S_{f_A}. Thus A is the only one who can efficiently invert
f_A. To digitally sign a message (number) m, A computes the string σ = f_A^{-1}(m). Given m and
σ, any one can efficiently verify that σ is A's digital signature of message m by "looking up" A's
published permutation f_A, computing f_A(σ), and verifying that the result is indeed m.

At the time of their proposal, no one knew how to go about proving that trapdoor permutations 
exist (such a proof automatically entails that P ≠ NP, something still out of reach), nor how to
suggest concrete reasonable "candidate" trapdoor permutations. Soon afterwards, Rivest, Shamir, 
and Adleman [RSA] proposed an algebraic candidate, the RSA function, for which no efficiently 
inverting algorithm has yet been found (and may not exist). 

1.2 Critique of the Model 

Although quite elegant, the Diffie-Hellman model has some inherent limitations, brought to light
by Goldwasser, Micali, and Yao [GMY]. For instance, they point out that it is impossible that a
trapdoor permutation be hard to invert on all of its range. (For example the RSA function has the
form x^e mod n, thus its inverse at 1 is 1.) At best one can prove that, with high probability, every
efficient inverting algorithm fails to invert a trapdoor permutation at a point randomly selected in
its range, but a small subset of the range will always exist for which inverting the permutation is
easy. Security vanishes if the message set is contained in (or overlaps significantly with) the "easy"
subset of the trapdoor permutation's range. Thus, even if we have proved that a given permutation
is trapdoor, will we ever be able to prove that ASCII English avoids its range's easy subset?

Also, nowhere in the definition is it said that a trapdoor permutation f cannot enjoy additional
properties. For instance, f may be "multiplicative" (like the RSA) in the sense that, given the
value of f^{-1} at points x and y, computing f^{-1}(xy) is easy. Mutatis mutandis, this means that,
given "legitimately" obtained signatures of strings x and y, one may easily forge the signature of 
string xy. One may object that in the case of English messages, it is unlikely that the product 
of two messages is a proper English sentence. However, besides the fact that this may be hard to 
prove, in many applications we may need to be able to sign arbitrary numbers. What, then, would 
happen to the "security" of the scheme? 

Finally, one could always generate legitimate signatures by choosing a string σ and computing
m = f(σ).

In essence, [GMY] pointed out that the notion of security for digital signature schemes was far 
from being understood, and that the existence of trapdoor permutations (without adding extra 
assumptions — such as that multiplicativity does not hold, nor additivity, nor...) may not be 
sufficient to guarantee the existence of "secure" digital signature schemes. 



1.3 The Notion of Security 

What then is a satisfactory definition of security for digital signatures schemes? Since the above 
critique is not confined to any specific implementation but is rather about the Diffie and Hellman 
model itself, implicit in this question is the question of what the model should be. 

A quite general definition of security for signature schemes was given by [GMY], as well as the 
first example of a scheme outside the Diffie and Hellman model. The "right" definition was found 
a year later by Goldwasser, Micali, and Rivest [GMR]. 

Informally, the [GMR] definition says that even an adversary who is granted a special experi- 
mentation session with the signer, in which the adversary asks and receives signatures of messages 
of his choice, cannot later efficiently forge the signature of any new message. This definition is for- 
mally presented in Section 3. For further motivation, and more history of these ideas, we address 
the reader to their original paper. 

1.4 The Computational Assumptions Needed to Implement It 

Having established the desired notion of security, it became very important to establish the com- 
putational assumptions necessary to implement it. 

The existence of secure digital signatures was first proved assuming the computational difficulty 
of some outstanding mathematical problems; integer factorization in the case of [GMR] (actually 
[GMR] based their signature scheme on a general primitive which they called claw-free pairs and 
then showed how these could be implemented based on factoring). 

Proving the security of a scheme implementing a basic primitive based on a purely mathematical 
assumption is not easy. Ever since the work of [GM] on public-key encryption, such proofs of 
security have had the form of a reduction. Namely, it is shown that if any algorithm exists for 
efficiently defeating the cryptographic scheme in question, then a (different) algorithm would exist 
for efficiently solving the underlying, mathematical problem. The difficulty of these proofs arises 
from the fact that they "reduce apples to oranges." For instance, an algorithm for attacking a 
digital signature scheme does not look related at all with any factoring algorithm: it has different 
goals, different inputs, etcetera. 

This difficulty explains why the fundamental cryptographic primitives were first implemented 
based on the computational difficulty of some specific mathematical problem; that is, one possessing 
some additional property besides — say — trapdoorness. This may simplify the work of the scheme 
designer. 

An attacker, of course, is always allowed to use any extra structure that might be present, 
although not explicitly assumed. If extra structure is explicitly assumed, it is at least available to
the scheme designer as well. 

Indeed, factoring (properly modified) yields a specific trapdoor permutation [W],[BBS], with
some rich algebraic properties. 

However, once we must resort to making assumptions, we better make the "smallest" ones. 
Trapdoor permutations may exist, but trapdoor permutations enjoying specific algebraic properties 
may not. In order to establish the existence of the basic cryptographic primitives, it is preferable 
(disregarding efficiency considerations) to assume an "abstract" trapdoor permutation, rather than
one possessing additional properties. Better yet is finding the minimal computational assumption
needed. That is, finding conditions that are both necessary and sufficient to securely implementing 
our primitives. 



1.5 Our Result 

In this paper, we show that abstract trapdoor permutations are sufficient for digital signature 
schemes. Thus we show that the same complexity assumption hypothesized by Diffie and Hellman 
can be used (though by a totally different way) to achieve "perfect" security. 

Let us say that we would have not devised our scheme without the work of [GMR] (from which 
we borrow definitions, notations, and several ideas) and the older work of Lamport [La]. 

1.6 Recent Improvements 

Our basic digital signature scheme, together with other beautiful ideas of Merkle [M], have been 
successfully used by Naor and Yung [NY] and Rompel [R]. Naor and Yung show that even one-way 
permutations are sufficient for secure digital signatures. Rompel shows that one-way functions 
are actually sufficient for secure digital signatures. Since an easy argument of ours, reported in 
[R], shows that this condition is also necessary, the existence of a one-way function is the minimal 
complexity assumption for the existence of secure digital signatures schemes. 

Since the works of [NY] and [R] heavily rely on ours, the present paper is also a quite effective 
introduction to their more complex schemes. 

2 Notation and Conventions 

2.1 Strings and Sequences 

The empty string is denoted λ.

The length of a binary string s is denoted by |s| while its i-th bit is denoted (s)_i. We use (s)_{1...i}
to denote the string consisting of the first i bits of s; this is λ if i = 0.

If a = (a_1, ..., a_i) and b = (b_1, ..., b_j) are sequences then a * b denotes the sequence (a_1, ..., a_i, b_1, ..., b_j).
If a = (a_1, ..., a_i) is a sequence and j < i then (a_1, ..., a_j) is called an initial segment of a.

2.2 Notation for Probabilistic Algorithms 

We use [GMR]'s notation and conventions for probabilistic algorithms. 

We emphasize the number of inputs received by an algorithm as follows. If algorithm A receives
only one input we write "A(·)"; if it receives two we write "A(·, ·)", and so on. If A is a probabilistic
algorithm then, for any input i the notation A(i) refers to the probability space which to the string
σ assigns the probability that A, on input i, outputs σ (in the special case that A takes no inputs,
A refers to the algorithm itself whereas the notation A() refers to the probability space obtained
by running A on no inputs).

If S is a probability space we denote its support (the set of elements of positive probability) by [S].

If f(·) and g(·, ..., ·) are probabilistic algorithms then f(g(·, ..., ·)) is the probabilistic algorithm
obtained by composing f and g (i.e. running f on g's output). For any inputs x, y, ... the associated
probability space is denoted f(g(x, y, ...)).

If S is a probability space then x ← S denotes the algorithm which assigns to x an element
randomly selected according to S (that is, x is assigned the value e with probability P_S[e]). In the
case that [S] consists of only one element e we may write x ← e.

For probability spaces S, T, ..., the notation

$P[p(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots]$

denotes the probability that the predicate p(x, y, ...) is true after the (ordered) execution of the
algorithms x ← S, y ← T, etc.

If S is a finite set we will identify it with the probability space which assigns to each element
of S the (uniform) probability 1/|S|. Thus x ← S denotes the operation of selecting an element of S
uniformly at random (again in the case that the set is of only one element e we may write x ← e
rather than x ← {e}).

We let PPT denote the set of probabilistic polynomial time algorithms. We assume that a 
natural encoding of these algorithms as binary strings is used. 

3 Signature Schemes and their Security 

In a digital signature scheme, each user A publishes a "public key" while keeping secret a "secret 
key". User A's signature for a message m is a value depending on m and his public and secret keys 
such that anyone can verify the validity of A's signature using A's public key. However, it is hard 
to forge A's signatures without knowledge of his secret key. 

Below we give a more precise outline of the constituents of a signature scheme and of the notion 
of security against adaptive chosen message attack [GMR]. 

3.1 Components of a Signature Scheme 

A digital signature scheme has the following components: 

• A security parameter k. This is chosen by the user when he creates his public and secret keys, 
and determines overall security, the length and number of messages, and the running time of 
the signing algorithm. 

• A message space. This is the set of messages to which the signature algorithm may be applied.
We assume all messages are binary strings, and to facilitate our exposition and proofs we assume
that the message space is M_k = {0, 1}^k, the set of all k-bit strings, when the security parameter
is k.

• A key generation algorithm KG. This is a probabilistic polynomial time algorithm which can be
run by any user to produce, on input 1^k, a pair (PK, SK) of matching public and secret keys.

• A signing algorithm S. This is a probabilistic polynomial time algorithm which given a message
m and a pair (PK, SK) of matching public and secret keys outputs a signature of m with respect
to PK. S might also have as input the signatures of all previous messages it has signed relative
to PK.

• A verification algorithm V. This is a polynomial time algorithm which given S, m, and PK
outputs true if S is a valid signature for the message m with respect to the public key PK, and
false otherwise.

Note that the key generation algorithm must be randomized to prevent a forger from re-running 
it to obtain a signer's secret key. The signing algorithm need not be randomized, but ours is; a 
message may have many different signatures depending on the random choices of the signer. 

3.2 Security of a Signature Scheme 

Of the various kinds of attacks that can be mounted against a signature scheme by a forger, the
most general is an adaptive chosen message attack.

In an adaptive chosen message attack a forger uses the signer A to obtain signatures of messages 
of his choice. He is allowed to choose these messages not only as a function of A's public key but 



as a function of the signatures returned by A in response to the forger's previous requests. That
is, the forger begins by picking some message m_1 as a function of A's public key PK and obtaining
from A a signature S_1 of it. As a function of PK, m_1 and S_1 he now chooses m_2 and gets a signature
S_2 of it. This goes on for a polynomial (in the security parameter) number of messages.

From the knowledge so gathered the forger attempts forgery. 

The most general kind of forgery is the successful signing, relative to A's public key, of any 
message m. This is called an existential forgery. (Note that forgery of course only denotes the 
creation of a new signature; it is no forgery to obtain a valid signature from A and then claim 
to have "forged" it). The security we require of our scheme is that existential forgery under an 
adaptive chosen message attack be infeasible with very high probability. 

More precisely, a forger is a probabilistic polynomial time algorithm F which on input a public key
PK with security parameter k

(1) engages in a conversation with the legal signer S, requesting and receiving signatures with
respect to PK for messages of his choice (the adaptive chosen message attack),

(2) then outputs a pair (m, S) (an attempt at existential forgery).

We say F is successful if

(1) S is a signature of m with respect to PK (i.e. V(S, m, PK) = true), and

(2) a signature of m was not requested of S in the adaptive chosen message attack.

Definition 3.1 Let Q be a polynomial. We say that a signature scheme is Q-forgeable if there
exists a forger F who, for infinitely many k, succeeds with probability more than 1/Q(k) on input a
public key with security parameter k. (The probability here is over the choice of the public key
(which is chosen according to the distribution generated by KG) and over the coin tosses of F and
S.)

Definition 3.2 A signature scheme is secure if for all polynomials Q it is the case that the scheme 
is not Q-forgeable. 

4 Trapdoor Permutations 

Informally, a family of trapdoor permutations is a family of permutations such that

• it is easy, given an integer k, to randomly select a permutation f which has security parameter
k, together with some "trapdoor" information associated with f

• f is easy to compute, and, given the trapdoor information, so is f^{-1}; but without the trapdoor
information, f is "hard" to invert.

But what exactly does it mean for f to be hard to invert? No finite function is hard to invert, so
the formalization must be in terms of families of functions. Moreover no function is hard to invert
at all points in its range, since one could always have an algorithm which when asked to invert f
at y, evaluates f at a few fixed points and checks whether any of these evaluations yields y. We
ask rather that f be hard to invert at a random input.

4.1 A Simple Definition 

Definition 4.1 A triplet (G, E, I) of probabilistic polynomial time algorithms (the generating,
evaluating and inverting algorithms respectively) is a trapdoor permutation generator if on input
1^k the algorithm G outputs a pair of k bit strings (x, y) such that

(1) The algorithms E(x, ·) and I(y, ·) define permutations of {0, 1}^k which are inverses of each
other: I(y, E(x, z)) = z and E(x, I(y, z)) = z for all z ∈ {0, 1}^k.

(2) For all probabilistic polynomial time (adversary) algorithms A(·, ·, ·), for all c and sufficiently
large k,

$P[E(x, u) = z : (x, y) \leftarrow G(1^k);\ z \leftarrow \{0,1\}^k;\ u \leftarrow A(1^k, x, z)] < k^{-c}.$



In informal discussions we will omit explicit mention of the generator and talk of f being a "trapdoor
permutation". It is to be understood that f(·) = E(x, ·) for some (x, y) ∈ [G(1^k)] where (G, E, I)
is the underlying trapdoor permutation generator.

Although simpler, our definition is potentially less general than that of [GMR]. The difference lies
in the nature of the domain on which a trapdoor permutation is defined. We ask that the domain
be {0, 1}^k when the security parameter is k, while [GMR] only require that it be a set which can
be sampled; their generator produces with each permutation an algorithm which can produce a
random point of the domain. We utilize this difference in our scheme.

However our definition is without loss of generality in the sense that it does capture all known 
candidates for trapdoor permutations. A simple, general construction due to Yao [Y] fits RSA and 
other candidates into our scenario. An informal description of this construction follows. 

4.2 Using Yao's Construction 

Take for example the RSA function [RSA], the most popular candidate for a trapdoor permutation.
The domain of the trapdoor permutation f when the security parameter is k is D = Z_n^*, a subset
of the k bit strings. The function f is assumed, say, hard to invert on a 1 − 1/k fraction of D.
First extend f to {0, 1}^k by defining

$f'(x) = \begin{cases} f(x) & \text{if } x \in D; \\ x & \text{otherwise.} \end{cases}$

This new function is a permutation on {0, 1}^k but might be easy to invert on a polynomial fraction
of the domain. Yao's cross product construction can now be used to pump up the security. We
define the function F on

$\underbrace{\{0,1\}^k \times \cdots \times \{0,1\}^k}_{n}$

by

$F(x_1, \ldots, x_n) = (f'(x_1), \ldots, f'(x_n));$

F is still a permutation, and Yao shows that by choosing n to be an appropriate polynomial in k,
it can be made to satisfy (2) of definition 4.1.

The same construction works for the trapdoor permutations of [BBS]. In general, the construc- 
tion can be applied whenever 

• the domain of f is a subset of {0, 1}^k of size at least a polynomial fraction of {0, 1}^k

• there is a (polynomial time) algorithm to determine whether a given point lies in the domain. 

5 An Overview of the Scheme 

We present here an overview of our scheme and a sketch of the proof of security. For simplicity we 
will for the moment completely disregard efficiency. 



5.1 Background 

Lamport [La] suggested the following method for signing a single bit. The signer makes public a
trapdoor permutation f and a pair of points α^0 and α^1, and keeps secret f^{-1}. The signature of a
bit b ∈ {0, 1} is then f^{-1}(α^b).

The drawback of this method is that the number of bits that can be signed is limited to the 
number of pairs of points that are placed in the public key. Our scheme can be considered an 
extension of this type of scheme in that it removes the restriction on the number of bits that can be 
signed while using a similar basic format for signing a single bit. We do this by regenerating some 
of the public key information every time we sign a bit. [GMR] too uses the idea of regenerating 
some part of the information in the public key, but a different way of signing a single bit. 

In the scheme described below, and then in more detail in Section 6, we reverse the roles of 
functions and points in the Lamport format with respect to signing a single bit, and then sign new 
points as needed. A dual and equivalent scheme which directly uses the Lamport format but signs 
new functions instead is described briefly in Section 8. (The latter version of the scheme was also 
presented in [BeMi]). 

5.2 The Signature Scheme 

A user's public key in our scheme is of the form

$PK = (f_{0,0}, f_{0,1}, \ldots, f_{k,0}, f_{k,1}, \alpha_0)$

where the f_{i,j} are trapdoor permutations with security parameter k and α_0 is a random k bit string
(we refer to k bit strings equivalently as points or seeds). His secret key is the trapdoor information

$f_{i,j}^{-1} \quad (i = 0, \ldots, k;\ j = 0, 1).$

Suppose the message to be signed consists of a single bit b. The signer executes the following 
two steps: 

(1) Sign b: He reveals f_{0,b}^{-1}(α_0).

(2) Regenerate the Public Key: He picks at random a new seed α_1 and sends it to the receiver.
He signs this seed by revealing for each i = 1, ..., k, either f_{i,0}^{-1}(α_0) or f_{i,1}^{-1}(α_0) depending on
whether the i-th bit of α_1 was a 0 or a 1.

At this point not only has the bit b been signed, but the public key has been "recreated". That
is, another bit can now be signed in the same manner with α_1 playing the role of α_0 above. This
process can be continued to sign a polynomial in k number of bits. The signature of a message is
thus built on a chain of seeds α_0, α_1, α_2, ... in which each element of the chain is used to sign its
successor.

We note that a seed is never reused: α_{i-1} is used to sign one message bit and α_i and then never
touched again.

5.3 Why is this Secure? 

Suppose F is a successful forger (as described in Section 3.2). We derive a contradiction by showing
that the existence of F implies the existence of an algorithm A which inverts the underlying trapdoor
permutations with high probability.

Given a trapdoor permutation g with security parameter k and a k bit string z, the algorithm
A must use the forger to find g^{-1}(z). A's strategy will be to build a suitable public key and then
run F and attempt to sign the messages requested by F. From F's forged signature will come
the information required to invert g at z.



A creates a public key PK = (f_{0,0}, f_{0,1}, ..., f_{k,0}, f_{k,1}, α_0) in which f_{n,c} = g for a randomly chosen
n ∈ {0, ..., k} and c ∈ {0, 1} and all the other functions are obtained by running the generator (so
A knows their inverses). In the course of signing A will generate a list of random seeds of the form
α_i = g(β_i), except for some one (random) stage at which it will use as seed the given point z. So
A knows how to invert all the f_{i,j} at all the seeds with the single exception of not knowing f_{n,c}^{-1}(z).

It is possible that A will not be able to sign a message that F requests: specifically, A will not
be able to sign a message m if computing the signature would require knowledge of g^{-1}(z). But
this is the only possible block in A's signing process, and since F does not know where z has been
placed it will happen with probability at most 1/2. So A succeeds in responding to all F's requests
with probability ≥ 1/2.

By assumption F will now return the signature of a message not signed previously by A. The
placement of the original function g in the public key, as well as the placement of z in the list of
seeds, are unknown to F (more precisely, the probability distribution of real signatures and A's
signatures are the same). With some sufficiently high probability, the signature of the new message
will include the value of g^{-1}(z) which A can output and halt.

6 The Signature Scheme 

Let (G, E, I) be a trapdoor permutation generator. With some abuse of language we will often
call x a function and identify it with E(x, ·).

6.1 Building Blocks for Signing 

The signing algorithm makes use of many structures. This section describes the basic building 
blocks that are put together to build signatures. 

Let (x_i^j, y_i^j) ∈ [G(1^k)] for i = 0, ..., k and j = 0, 1, and let x = (x_0^0, x_0^1, ..., x_k^0, x_k^1). Let α, α' ∈
{0, 1}^k.

Definition 6.1 A seed authenticator ⟨α'; α⟩_x is a tuple of strings (α', α, z_1, ..., z_k) for which

$E(x_i^{(\alpha)_i}, z_i) = \alpha'$

for all i = 1, ..., k.

Intuitively, α' (which we think of as already having been authenticated) is authenticating α (with
respect to x) via the Lamport format. For each bit (α)_i of α the seed authenticator ⟨α'; α⟩_x includes
a value z_i. This value is f_{i,0}^{-1}(α') if (α)_i = 0 and f_{i,1}^{-1}(α') if (α)_i = 1 (where f_{i,j}(·) = E(x_i^j, ·)).

Bits are authenticated similarly: 

Definition 6.2 A bit authenticator ⟨α'; b⟩_x is a tuple of strings (α', b, z) such that b ∈ {0, 1} and

$E(x_0^b, z) = \alpha'.$

Notice that we have k + 1 pairs of functions x_i^j so that a single α' can authenticate up to k + 1
bits. We use the first (0-th) pair of functions to authenticate a bit and the rest to authenticate a
k-bit seed.

Definition 6.3 An authenticator ⟨α'; c⟩_x is either a seed authenticator or a bit authenticator. In
the authenticator ⟨α'; c⟩_x, α' is called the root of the authenticator, c is called the child of the
authenticator, and x is called the source of the authenticator.



Given x and a tuple purporting to be the authenticator ⟨α'; c⟩_x, it is easy for anyone to check
that it is indeed one. However given α', c, and x it is difficult to create an authenticator ⟨α'; c⟩_x
without the knowledge of y_0^0, y_0^1, ..., y_k^0, y_k^1.

Definition 6.4 A sequence F = (F^1, ..., F^p) of seed authenticators is a spine starting at α' if

• α' is the root of F^1.

• for i = 1, ..., p − 1, the root of F^{i+1} is the child of F^i.

Definition 6.5 A sequence B = (B^1, ..., B^q) of bit authenticators is s-attached to the spine
F = (F^1, ..., F^p) if the root of B^i is equal to the child of F^{s+i-1} for i = 1, ..., q. A sequence of
bit authenticators B = (B^1, ..., B^q) is attached to the spine F = (F^1, ..., F^p) if it is s-attached
for some s.

6.2 Generating Keys 

The key generation algorithm KG does the following on input 1^k:

(1) Run G a total of 2k + 2 times on input 1^k to get a list of pairs (x_i^j, y_i^j) (i = 0, ..., k, j = 0, 1).

(2) Select a random k-bit seed α ∈ {0, 1}^k.

(3) Output the public key PK = (1^k, x, α) where x = (x_0^0, x_0^1, ..., x_k^0, x_k^1).

(4) Output the secret key SK = y = (y_0^0, y_0^1, ..., y_k^0, y_k^1).

6.3 Signatures 

Definition 6.6 A signature of a message m ∈ M_k with respect to a public key PK = (1^k, x, α) is
a triple (F, B, m) where F = (F^1, ..., F^{pk}) (p ≥ 1) is a spine and B = (B^1, ..., B^k) is a sequence
of bit authenticators such that

• B is ((p − 1)k + 1)-attached to F.

• F starts at α.

• For all i = 1, ..., k the child of B^i is (m)_i.

• The common source of all the authenticators is x.

Figure 1 (right) shows a schema of a signature for a message m with respect to a public key
(1^k, x, α_0); here F^i = ⟨α_{i-1}; α_i⟩_x (i = 1, ..., pk) and B^i = ⟨α_{(p-1)k+i}; (m)_i⟩_x (i = 1, ..., k).

6.4 The Signing Algorithm 

Let PK = (1^k, x, α_0) and SK = y be a pair of public and secret keys. We presume that the
signing procedure S is initialized with the values of PK and SK and has already signed messages
m_1, ..., m_{i-1} and kept track of the signatures S_1 = (F_1, B_1, m_1), ..., S_{i-1} = (F_{i-1}, B_{i-1}, m_{i-1}) of
these messages. We let F_0 be the empty sequence. To compute a signature S_i = (F_i, B_i, m_i) for
m_i ∈ M_k, the signing procedure S does the following:

(1) Set l = (i − 1)k, and select k seeds α_{l+1}, ..., α_{l+k} ∈ {0, 1}^k at random.

(2) Form the seed authenticators

$F^j = \langle \alpha_{j-1}; \alpha_j \rangle_x$

for j = l + 1, ..., l + k, and let F be the spine (F^{l+1}, ..., F^{l+k}).
Figure 1: A signature corpus (left), and a signature of a message m (right)

(3) Form the bit authenticators

for i = 1, ..., k, and let B_i = (B^1, ..., B^k).

(4) Let F_i = F_{i-1} * F and output S_i = (F_i, B_i, m_i) as the signature of m_i.

Figure 1 (left) shows a schema of the data structure constructed by the signing procedure as 
described above. This structure will be called a signature corpus in Section 7. 

6.5 The Verification Algorithm 

Given a public key PK and something purporting to be a signature of a message m with respect 
to PK, it is easy to check whether this is indeed the case. It is easy to see that checking whether a 
given object really has the form of definition 6.6 only requires knowledge of the public key. 
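As an added worked example (not code from the paper), the following Python puts Sections 4.2 and 6.2 to 6.5 together: a constructed toy trapdoor permutation generator (textbook RSA with 6-bit primes, extended from Z_n^* to all k-bit strings by the identity as in Section 4.2; it is not secure and only shows the structure), key generation with 2k + 2 permutations, the spine-and-bit-authenticator signing procedure, and a verifier that checks Definition 6.6. The names K, gen_trapdoor, evaluate, invert, bit, keygen, Signer and verify are this example's own.

```python
import math
import secrets

# Security parameter k. Every seed and message is a K-bit string, held as an int.
K = 12
# Constructed toy parameters: 6-bit primes, so n = p*q < 2**K and RSA acts inside {0,1}^K.
PRIMES = [p for p in range(32, 64) if all(p % d for d in range(2, p))]


def gen_trapdoor():
    """G(1^k) of Definition 4.1: returns (x, y) = (public description, trapdoor)."""
    while True:
        p, q = secrets.choice(PRIMES), secrets.choice(PRIMES)
        if p != q and p * q < 2 ** K:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    e = 3
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def evaluate(x, z):
    """E(x, z): RSA on D = Z_n^*, identity elsewhere (Section 4.2), a permutation of {0,1}^K."""
    n, e = x
    return pow(z, e, n) if z < n and math.gcd(z, n) == 1 else z


def invert(y, w):
    """I(y, w): the same map undone with the trapdoor exponent d."""
    n, d = y
    return pow(w, d, n) if w < n and math.gcd(w, n) == 1 else w


def bit(s, i):
    """(s)_i: the i-th bit of the K-bit string s, counting from 1 at the most significant end."""
    return (s >> (K - i)) & 1


def keygen():
    """KG(1^k), Section 6.2: x_i^j, y_i^j for i = 0..k, j = 0,1 and a random seed alpha_0."""
    pairs = [[gen_trapdoor() for _ in range(2)] for _ in range(K + 1)]
    x = [[pairs[i][j][0] for j in range(2)] for i in range(K + 1)]
    y = [[pairs[i][j][1] for j in range(2)] for i in range(K + 1)]
    return (x, secrets.randbelow(2 ** K)), y


class Signer:
    """The stateful signing procedure S of Section 6.4; it keeps the growing spine F_{i-1}."""

    def __init__(self, pk, sk):
        self.x, self.alpha0 = pk
        self.y = sk
        self.spine = []          # F_{i-1}: every seed authenticator issued so far
        self.last = self.alpha0  # child of the last spine element, i.e. alpha_l

    def sign(self, m):
        assert 0 <= m < 2 ** K
        F = []
        for _ in range(K):       # k fresh seeds, each authenticated by its predecessor
            new = secrets.randbelow(2 ** K)
            zs = [invert(self.y[i][bit(new, i)], self.last) for i in range(1, K + 1)]
            F.append((self.last, new, zs))          # <alpha_{j-1}; alpha_j>_x
            self.last = new
        # Bit authenticators <alpha_{l+j}; (m)_j>_x using the 0-th pair of permutations.
        B = [(F[j][1], bit(m, j + 1), invert(self.y[0][bit(m, j + 1)], F[j][1]))
             for j in range(K)]
        self.spine.extend(F)
        return (list(self.spine), B, m)             # S_i = (F_i, B_i, m_i)


def verify(pk, sig):
    """V of Section 6.5: check that sig has the form of Definition 6.6, using only PK."""
    x, alpha0 = pk
    F, B, m = sig
    p = len(F) // K
    if p < 1 or len(F) != p * K or len(B) != K or not 0 <= m < 2 ** K:
        return False
    root = alpha0                                   # F must be a spine starting at alpha_0
    for a_prime, a, zs in F:
        if a_prime != root or len(zs) != K:
            return False
        if any(evaluate(x[i][bit(a, i)], zs[i - 1]) != a_prime for i in range(1, K + 1)):
            return False
        root = a
    for j, (a_prime, b, z) in enumerate(B, 1):     # B is ((p-1)k+1)-attached, child (m)_j
        if a_prime != F[(p - 1) * K + j - 1][1] or b != bit(m, j):
            return False
        if evaluate(x[0][b], z) != a_prime:
            return False
    return True


if __name__ == "__main__":
    pk, sk = keygen()
    signer = Signer(pk, sk)
    s1, s2 = signer.sign(0b101100111000), signer.sign(0b000000000001)
    print(verify(pk, s1), verify(pk, s2), len(s2[0]) == 2 * K)
```

Because the second signature's spine extends the first one's, s2 carries 2k seed authenticators; flipping any message bit or any z value makes verify reject, since evaluate is a permutation.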

7 Proof of Security 

7.1 The Signature Corpus 

Definition 7.1 Let (F_1, B_1, m_1), ..., (F_i, B_i, m_i) be a sequence of the first i signatures output by
our signing algorithm S, for some i ≥ 0. Let F = F_i and B = B_1 * ... * B_i. We call signature corpus
the triple C = (F, B, (m_1, ..., m_i)).

Note that a signature corpus (F, B, M) is a spine F = (F^1, ..., F^p) to which is 1-attached the
sequence of bit carrying items B = (B^1, ..., B^p).

Definition 7.2 Let Z = (F, B, M) be either a single signature or a signature corpus, relative to a
public key PK = (1^k, x, α_0), where F = (F^1, ..., F^p) and B = (B^1, ..., B^l). Then

(1) F(Z) denotes F, the spine of Z, and B(Z) denotes B, the sequence of bit authenticators of Z.
The authenticators in F are called the seed authenticators of Z and the authenticators in B
are called the bit authenticators of Z.

(2) The set of authenticators of Z is A(Z) = {F^1, ..., F^p} ∪ {B^1, ..., B^l}.

(3) The chain of seeds of Z, denoted P(Z), is the sequence of seeds which form the roots and
children of the seed authenticators of F. That is, P(Z) = (α_0, α_1, ..., α_p), where α_i is the
child of F^i for all i = 1, ..., p.

(4) The set of roots of Z, denoted R(Z), is the set of roots of the seed authenticators of Z.

(5) The tuple M of messages signed by Z is denoted M(Z). (If Z is the signature of a single
message m, we just let M(Z) = m).

7.2 Extracting Information From a Forgery 

As indicated in the overview of Section 5.3, forgery must eventually be used to extract information 
about the inversion of a trapdoor function. The preliminary definitions and lemmas here are devoted 
to characterizing the structure of a forgery relative to a given corpus. 

Lemma 7.3 Let C be a signature corpus relative to a public key PK = (1*^,^,0!) and let S be a 
signature, relative to the same public key, of a message m not in M(C). Fhen there is an a' in 
P{C) such that one of the following holds: 

(1) Fhere is a pair of seed authenticators, {a';hi)^ in F(C), and {a';h2)^ in F(S), such that 
hi ^ h2. 

(2) a' is not in R{C) (i.e. a' is the child of the last authenticator in the spine) and there is a seed 
authenticator {c('',h)g in F(S). 

(3) Fhere is a pair of bit authenticators, {a'; bi)^ in B(C), and {a'; b2)^ in B(S), such that bi ^ b2. 

Proof: Suppose neither (1) nor (2) holds. Since $F(S)$ and $F(C)$ both start at $\alpha$, $F(S)$ must be an initial segment of $F(C)$. Thus $P(S)$ is an initial segment of $P(C)$. Since $B(S)$ is attached to $F(S)$, the roots of all the bit authenticators of $S$ are in $P(S)$, hence in $P(C)$. So if $P(C) = (\alpha_0, \ldots, \alpha_{pk})$ then there is some $i$ such that $(\alpha_{(i-1)k+j}; (m_i)_j)_x \in B(C)$ and $(\alpha_{(i-1)k+j}; (M(S))_j)_x \in B(S)$ for all $j = 1, \ldots, k$, where $m_i \in M_k$ is the $i$-th message in the corpus. But $M(S)$ is not in $M(C)$, so there is some $j$ such that $(M(S))_j \neq (m_i)_j$. Let $b_1 = (m_i)_j$, $b_2 = (M(S))_j$, and $\alpha' = \alpha_{(i-1)k+j}$. Then $(\alpha'; b_2)_x \in B(S)$ and $(\alpha'; b_1)_x \in B(C)$ are the desired bit authenticators which give us part (3) of the lemma. ■

Let $PK = (1^k, x, \alpha)$ be a public key, where $x = (x_0^0, x_0^1, \ldots, x_k^0, x_k^1)$, and let $C$ be a signature corpus relative to $PK$. We introduce the notion of a pair $(\alpha', x_i^j)$ being unused in $C$, where $\alpha'$ is in $P(C)$. Informally, we would like to say that $(\alpha', x_i^j)$ is unused if the authenticators in the corpus $C$ do not contain $E(x_i^j, \cdot)^{-1}(\alpha')$. That is, the inversion of $E(x_i^j, \cdot)$ at $\alpha'$ was not required in the signing process. For technical reasons, however, the formal definition that we use is rather to say that the inversion of $E(x_i^{1-j}, \cdot)$ was required in the signing process. Boundary conditions (being at the end of the spine) complicate things a little further.
Definition 7.4 Let $PK$, $C$ be as above. We say that $(\alpha', x_i^j)$ is unused in $C$ if $\alpha'$ is in $P(C)$ and one of the following holds:

(1) There is a seed authenticator $(\alpha'; \alpha)_x$ in $A(C)$ with $(\alpha)_i \neq j$.

(2) $i \neq 0$ and $\alpha'$ is not in $R(C)$. (So $\alpha'$ is at the tail end of the spine $F(C)$.)

(3) $i = 0$ and there is a bit authenticator $(\alpha'; b)_x$ in $A(C)$ with $b \neq j$.



With $PK$, $C$ as above, let $S$ be the signature of a message $m$ not in $M(C)$, relative to $PK$. We show that this signature could not have been created without inverting $E(x_i^j, \cdot)$ at $\alpha'$ where $(\alpha', x_i^j)$ was some unused pair in the corpus $C$.

Lemma 7.5 There is a polynomial time algorithm which takes as input $PK$, $C$, and $S$ as described above, and outputs a triple of the form $(\alpha', x_i^j, u)$ such that the pair $(\alpha', x_i^j)$ was unused in $C$ and $E(x_i^j, u) = \alpha'$.

Proof: Let $\alpha'$ be the seed of Lemma 7.3. The proof breaks down into the cases provided by Lemma 7.3, and we number the cases below accordingly. Note that given $C$ and $S$ it is possible for an algorithm to determine which of the cases of Lemma 7.3 applies.

(1) Since $\alpha_1 \neq \alpha_2$ we can find an $i$ such that $(\alpha_1)_i \neq (\alpha_2)_i$. Set $j = (\alpha_2)_i$. The authenticator $(\alpha'; \alpha_2)_x$ provides us with the value $E(x_i^j, \cdot)^{-1}(\alpha')$, and by the first part of Definition 7.4 the pair $(\alpha', x_i^j)$ is unused in $C$.

(2) Set $i$ to any value between 1 and $k$ and set $j = (\alpha)_i$. The authenticator $(\alpha'; \alpha)_x$ provides us with the value $E(x_i^j, \cdot)^{-1}(\alpha')$, and the second part of Definition 7.4 says that $(\alpha', x_i^j)$ is unused in $C$.

(3) Set $i = 0$ and $j = b_2$. The authenticator $(\alpha'; b_2)_x$ provides us with the value $E(x_i^j, \cdot)^{-1}(\alpha')$ and the last part of Definition 7.4 says that $(\alpha', x_i^j)$ is unused in $C$. ■

7.3 Proof of Security 

We are now ready to prove 

Theorem 7.6 Under the assumption that $(G, E, I)$ is a trapdoor permutation generator the above signature scheme is secure.

(see Definition 3.2 for the definition of security). 

The proof of the theorem is by contradiction. Assume the existence of a polynomial $Q$, an infinite set $K$, and a forger $\mathcal{F}(\cdot)$ such that for all $k \in K$, $\mathcal{F}$ is successful in forging with probability $\geq 1/Q(k)$ on input a public key chosen according to the distribution induced by $KG$. Our goal is to construct an algorithm $A(\cdot, \cdot, \cdot) \in PPT$ which on input $1^k, x, z$ uses $\mathcal{F}$ to find $E(x, \cdot)^{-1}(z)$.

Since $\mathcal{F}$ is probabilistic polynomial time there is a polynomial $S_F$ such that the number of signatures requested by $\mathcal{F}$ is at most $S_F(k)$. We now define $A$ to operate as follows on input $1^k, x, z$:



(1) Let $n \leftarrow \{0, \ldots, k\}$, $c \leftarrow \{0, 1\}$, and $t \leftarrow \{0, \ldots, kS_F(k)\}$.

(2) Run $G$ a total of $2k+1$ times on input $1^k$ to get $(x_i^j, y_i^j)$ for $i = 0, \ldots, k$, $j = 0, 1$, $(i, j) \neq (n, c)$. Let $x_n^c = x$, and let $x = (x_0^0, x_0^1, \ldots, x_k^0, x_k^1)$.

(3) Pick $kS_F(k)$ random $k$ bit strings $\beta_0, \ldots, \beta_{t-1}, \beta_{t+1}, \ldots, \beta_{kS_F(k)}$ and then create the seeds
$$\alpha_l = \begin{cases} z & \text{if } l = t \\ E(x, \beta_l) & \text{otherwise.} \end{cases}$$
Let $P$ be the sequence $(\alpha_0, \alpha_1, \ldots, \alpha_{kS_F(k)})$.

(4) Let $PK = (1^k, x, \alpha_0)$.

(5) Invoke $\mathcal{F}$ on the public key $PK$, and attempt to sign the requested messages in the same manner as the signing procedure $S$, but using the already generated seeds from $P$ where $S$ would pick random new seeds. The inverses of all but one of the functions in $x$ are known, and, for that function $x_n^c$, the value $E(x_n^c, \cdot)^{-1}(\alpha_l) = \beta_l$ is known for all values $l \neq t$. If either $(\alpha_{t+1})_n = c$, or $n = 0$ and the sequence of requested messages has $c$ in the $t$-th position, it will not be possible to sign. Output 0 and halt in this case. If all of $\mathcal{F}$'s requested messages are successfully signed, let $C$ be the corpus of these signatures.

(6) If $\mathcal{F}$ does not now output a signature of a message not in $M(C)$, output 0 and halt. Otherwise, invoke the algorithm of Lemma 7.5 on input $PK$, $C$, and the signature $S$ output by $\mathcal{F}$. This algorithm outputs a tuple $(\alpha', x_i^j, u)$. Now output $u$ and halt.

We consider the distribution of $A$'s output when its inputs are chosen at random: that is, we consider the result of executing
$$(x, y) \leftarrow G(1^k);\; z \leftarrow \{0,1\}^k;\; u \leftarrow A(1^k, x, z).$$

Lemma 7.7 The public key $PK$ created in step 4 has the same distribution as that induced on public keys by the key generation algorithm $KG$ of Section 6.2.

Proof: The functions $x_i^j$ of step 2 were obtained by running $G$, as was $x$, so $x$ has the right distribution. The $\beta_l$ were chosen at random in step 3. Since $E(x, \cdot)$ is a permutation, the seeds $\alpha_l$ are also randomly distributed. Since $\alpha_0$ is either one of these or the randomly chosen $z$, it is randomly distributed. So $PK$ has the same distribution as generated by $KG$. ■

Lemma 7.8 

(1) The distribution of signatures generated by the conversation between $\mathcal{F}$ and $A$ is, at every stage in the conversation, the same as the distribution that would be generated in a conversation between $\mathcal{F}$ and the legal signer $S$.

(2) With probability $\geq \frac{1}{2}$ all of $\mathcal{F}$'s requests are successfully signed.

Proof: As noted above, the public key has the right distribution. Now the steps used by $A$ to sign are exactly those of the signing algorithm $S$, with the one exception noted in step 5 of the description of $A$. The signatures received by $\mathcal{F}$ up to this crucial point have the same distribution as the legal signer would have generated. Now at the next step $A$ must invert either $E(x_n^0, \cdot)$ or $E(x_n^1, \cdot)$ at $\alpha_t$. Since $c$ was chosen at random, we can conclude that this stage is passed with probability $\frac{1}{2}$. Moreover, this and future signatures still have the right distribution. Both parts of the lemma are thus verified. ■

Suppose all of $\mathcal{F}$'s requests are signed. By the preceding lemma, the corpus generated has the same distribution as would have been generated with the legal signer. By assumption we know $\mathcal{F}$ forges with probability $1/Q(k)$ on this distribution. Since the signing was accomplished with probability $\geq \frac{1}{2}$ we obtain a forgery $S$ with probability
$$\frac{1}{2Q(k)}.$$
The next step is to show that the $u$ output by $A$ is equal to $E(x, \cdot)^{-1}(z)$ with sufficiently high probability.

Note that $P(C)$ is an initial segment of the sequence $P$. If the requested messages added together to a length of more than $t$ bits, then $z$ is in $P(C)$. The signing process is accomplished only if inverting $E(x, \cdot) = E(x_n^c, \cdot)$ at $z$ is avoided, so if $z$ is in $P(C)$ then $(z, x)$ is unused in $C$. We state this as a lemma.

Lemma 7.9 If $A$ does succeed in signing all of $\mathcal{F}$'s requests, and if $z$ is in $P(C)$, then $(z, x)$ is unused in $C$.

Proof: If $z$ is the last seed in the sequence $P(C)$ and $n > 0$ then we have case (2) of Definition 7.4. Otherwise, since the signing was accomplished, either (1) or (3) must hold. ■

By Lemma 7.5, $u = E(x_i^j, \cdot)^{-1}(\alpha')$ for some pair $(\alpha', x_i^j)$ unused in $C$. We would like the pair to actually be $(z, x)$, for then $u = E(x, \cdot)^{-1}(z)$. We consider the probability that $u = E(x, \cdot)^{-1}(z)$ conditioned on the event that $z$ is in $P(C)$ and $(z, x)$ is unused in $C$. By the randomization of the $n$ and $t$ parameters (step 1) this probability is
$$\frac{1}{(1+k)(1+kS_F(k))}.$$
We conclude that for all $k \in K$,
$$P\left[E(x, u) = z : (x, y) \leftarrow G(1^k);\; z \leftarrow \{0,1\}^k;\; u \leftarrow A(1^k, x, z)\right] \geq \frac{1}{2Q(k)(1+k)(1+kS_F(k))},$$
contradicting the fact that $G$ is a trapdoor permutation generator. This completes the proof of Theorem 7.6.

8 The Dual Scheme 

An interesting feature of our scheme is a "duality" between the roles of functions and seeds. The 
roles as described in the scheme of the previous sections can be interchanged to yield an equivalent 
scheme which keeps a fixed number of seeds in the public key and signs new functions as needed. 

The duality is real enough to make the structure and description of the schemes, as well as the 
proof of security, entirely symmetric, and the ability to sign new functions rather than new seeds 
is unusual enough to merit a little description. In fact, it is this dual scheme that was presented in 
detail in [BeMi], and the interested reader can obtain details from there. 

We point out, though, that the scheme of Section 6 is the far more natural one for implementation. In practice it is of course easier to generate a random element of $\{0,1\}^k$ (which just consists of $k$ coin flips) than it is to run a possibly quite complex generator to get a trapdoor function (a typical generator is attempting to find certified primes of some length and so forth, a comparatively expensive operation). The dual scheme is thus likely to be a good deal less efficient.

8.1 Description 

We outline the structure of the dual scheme. The public and secret keys are of the form
$$PK = (1^k, x_0, \alpha), \qquad SK = y_0$$
where $\alpha = (\alpha_0^0, \alpha_0^1, \ldots, \alpha_k^0, \alpha_k^1)$ is a vector of $2k+2$ randomly chosen $k$ bit strings, and $(x_0, y_0) \in [G(1^k)]$.
Each signing step consists of signing a bit of the message and a new $k$ bit trapdoor permutation $x_i$ to take the place of the trapdoor permutation $x_{i-1}$ of the previous stage ($x_0$ is used in the first stage). The $k+1$ bits consisting of the message bit and the $k$ bits of $x_i$ are signed by sending either $I(y_{i-1}, \alpha_j^0)$ or $I(y_{i-1}, \alpha_j^1)$ depending on whether the $j$-th of these bits is a 0 or a 1. Note that the signer gets new trapdoor permutations by running the generator; he thus knows and preserves the inverses while signing and revealing the functions themselves. A total of $2k+2$ seeds stay fixed in the public key, while random trapdoor permutations are generated and signed as needed to propagate the signatures; the roles of points and functions relative to the original scheme (Section 6) are effectively interchanged.

To illustrate in a little more detail, we would have what we could call function authenticators
$$(x'; x)_\alpha = (x', x, z_1, \ldots, z_k)$$
such that $E(x', z_i) = \alpha_i^{(x)_i}$, where $x, x' \in [G(1^k)]$; bit authenticators would now be of the form
$$(x'; b)_\alpha = (x', b, z)$$
with $E(x', z) = \alpha_0^b$. Spines would now consist of sequences of function authenticators, and so forth. The entire scheme of Section 6 would carry over with essentially just a change of terminology.

8.2 Proof of Security for the Dual 

It is easy to see that the proof of Theorem 7.6 for the dual is just symmetric. To illustrate a little: $A$ would create the public key by placing the given point $z$ in $\alpha$, and making the rest of the points of $\alpha$ of the form $E(x, \beta_j)$. $A$ would sign new functions obtained by running $G$ except at some one random stage when it would use $x$. It could then simulate the signing and get $E(x, \cdot)^{-1}(z)$ from the forger in the same manner as before.

9 Using Tree Structures 

A key tool in improving the efficiency of our scheme and in eventually getting a memoryless version 
is the use of tree structures in the style of [GMR]. We describe in this section the nature of the 
basic tree based scheme. 

Henceforth the scheme of Section 6 will be referred to as the linear scheme. 

9.1 Structures for the Tree Scheme 

In the tree scheme, the public and secret keys are of the form
$$PK = (1^k, x, x_0, x_1, \alpha_\lambda, \beta), \qquad SK = (y, y_0, y_1),$$
where
$$x_0 = (x_{0,1}^0, x_{0,1}^1, x_{0,2}^0, x_{0,2}^1, \ldots, x_{0,k}^0, x_{0,k}^1)$$
$$x_1 = (x_{1,1}^0, x_{1,1}^1, x_{1,2}^0, x_{1,2}^1, \ldots, x_{1,k}^0, x_{1,k}^1)$$
are trapdoor permutations, $y, y_0, y_1$ are their respective inverses, $\alpha_\lambda$ is a $k$ bit seed, and the parameter $\beta$ defines a signature bound: $S_B = 2^\beta$ is a bound on the total number of signatures that can be signed with respect to the public key.

While signing, a binary tree of seeds is created, with a parent authenticating two children. The 
new children seeds are signed in the same manner as the previous scheme, using xq as the source 
to sign the left child, and xi as the source for the right child. 
Seed authenticators thus come in two varieties, a left and a right:
$$(\alpha'; \alpha)_{x_a} = (\alpha', \alpha, a, z_1, \ldots, z_k)$$
where $a \in \{0, 1\}$, $\alpha, \alpha' \in \{0,1\}^k$, and $E(x_{a,i}^{(\alpha)_i}, z_i) = \alpha'$ for all $i = 1, \ldots, k$. Bit authenticators are with respect to $x$:
$$(\alpha'; b)_x = (\alpha', b, z)$$
with $E(x^b, z) = \alpha'$. The terminology of roots, children, and sources of authenticators (Definition 6.3), as well as that of spines and attaching (Definitions 6.4, 6.5) remains the same. We can then define a signature.

Definition 9.1 A signature of a message $m \in M_k$ with respect to a public key $PK = (1^k, x, x_0, x_1, \alpha_\lambda, \beta)$ is a triple $(F, B, m)$ where $F = (F^1, \ldots, F^\beta, F^{\beta+1}, \ldots, F^{\beta+k})$ is a spine and $B = (B^1, \ldots, B^k)$ is a sequence of bit authenticators such that

• $B$ is $(\beta+1)$-attached to $F$.

• $F$ starts at $\alpha_\lambda$.

• For all $i = 1, \ldots, k$ the child of $B^i$ is $(m)_i$ and the source of $B^i$ is $x$.

• For all $i = 1, \ldots, \beta$ the source of $F^i$ is either $x_0$ or $x_1$.

• For all $i = \beta+1, \ldots, \beta+k$ the source of $F^i$ is $x_0$.

9.2 Signing 

We now describe the signing procedure. Let
$$PK = (1^k, x, x_0, x_1, \alpha_\lambda, \beta), \qquad SK = (y, y_0, y_1),$$
be a pair of public and secret keys. We presume that the signing procedure $S$ is initialized with the values of $PK$ and $SK$ and has already signed messages $m_0, \ldots, m_{i-1}$ and kept track of the signatures $S_0 = (F_0, B_0, m_0), \ldots, S_{i-1} = (F_{i-1}, B_{i-1}, m_{i-1})$ of these messages.

The integer $i$ ($0 \leq i < 2^\beta$) will be represented here as a binary string of exactly $\beta$ bits; that is, the representation of $i$ is $i$ in binary padded with leading zeroes to bring the total length to exactly $\beta$. With the notation of Section 2.1, $(i)_{1..t}$ then denotes the first $t$ bits of this string.

To compute a signature $S_i = (F_i, B_i, m_i)$ for $m_i$, where $i < 2^\beta$ and $m_i \in M_k$, $S$ now performs the following steps:

(1) If $i = 0$ then let $s = \lambda$. Otherwise, let $s$ be the longest common prefix of $i$ and $i-1$.

(2) Select at random $\beta - |s|$ seeds $\alpha_{(i)_{1..|s|+1}}, \ldots, \alpha_{(i)_{1..\beta}}$ from $\{0,1\}^k$, and form the seed authenticators $F^t$ for $t = |s|+1, \ldots, \beta$.

(3) Let $F$ be the spine $(F^1, \ldots, F^\beta)$ (thus $F$ consists of the first $|s|$ seed authenticators from $F_{i-1}$ (if $i > 0$) followed by the $\beta - |s|$ authenticators created in step 2).

(4) Now form a signature of $m_i$ in the style of the linear scheme. That is, select $k$ random seeds $\gamma_1, \ldots, \gamma_k$. Let $\gamma_0 = \alpha_{(i)_{1..\beta}}$, and let
$$B^j = (\gamma_j; (m_i)_j)_x$$
for $j = 1, \ldots, k$.

(5) Let $F_i = F * (H^1, \ldots, H^k)$, $B_i = (B^1, \ldots, B^k)$, and output $S_i = (F_i, B_i, m_i)$ as the signature of $m_i$.
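As an added example (not code from the paper), the signing steps above together with the verification conditions of Definition 9.1, in Python. It assumes a constructed toy trapdoor permutation (RSA exponent pairs on one small shared modulus, which is insecure and serves only to keep every function on a common domain), takes messages to be $K$-bit strings where $K$ is the seed length, and takes the chain authenticators $H^j$ of step 5 to be $(\gamma_{j-1}; \gamma_j)_{x_0}$, which is what the source condition of Definition 9.1 requires.

```python
import math, secrets
# Constructed toy trapdoor permutation: RSA exponent pairs on ONE small shared modulus, so every
# function acts on the same domain Z_N. Insecure (shared modulus, tiny primes); structure only.
P, Q = 61, 53
N, PHI = P * Q, (P - 1) * (Q - 1)
K = N.bit_length()                  # seeds and messages are K-bit strings (K = 12 here)

def gen():
    """G(1^k): a fresh (x, y) = (public exponent, trapdoor exponent)."""
    while True:
        e = 3 + secrets.randbelow(PHI - 3)
        if math.gcd(e, PHI) == 1: return e, pow(e, -1, PHI)
def E(x, z): return pow(z, x, N)    # evaluate the permutation x at z
def I(y, a): return pow(a, y, N)    # invert it at a using the trapdoor y
def bits(a): return [(a >> (K - 1 - i)) & 1 for i in range(K)]   # (a)_1 .. (a)_K

def keygen(beta):
    """PK = (x, x0, x1, alpha_lambda, beta), SK = (y, y0, y1); x_{a,i}^b is stored at xa[2*i+b]."""
    pairs = lambda n: tuple(zip(*[gen() for _ in range(n)]))
    (x, y), (x0, y0), (x1, y1) = pairs(2), pairs(2 * K), pairs(2 * K)
    return (x, x0, x1, secrets.randbelow(N), beta), (y, y0, y1)

def seed_auth(ya, a, root, child):
    """(root; child)_{x_a} = (root, child, a, z_1..z_K) with E(x_{a,i}^{(child)_i}, z_i) = root."""
    return (root, child, a, [I(ya[2 * i + b], root) for i, b in enumerate(bits(child))])
def bit_auth(y, root, b):
    """(root; b)_x = (root, b, z) with E(x^b, z) = root."""
    return (root, b, I(y[b], root))

class Signer:
    def __init__(self, pk, sk):
        self.pk, self.sk, self.count = pk, sk, 0
        self.tree = {"": pk[3]}     # node label (path bits) -> seed; "" is alpha_lambda

    def sign(self, m):
        """Sign the K-bit message m at leaf number self.count (steps 1-5 of Section 9.2)."""
        (x, x0, x1, _, beta), (y, y0, y1) = self.pk, self.sk
        assert self.count < 2 ** beta and 0 <= m < 2 ** K   # signature bound S_B = 2^beta
        i, F = format(self.count, f"0{beta}b"), []
        self.count += 1
        for t in range(1, beta + 1):            # steps 1-3: the path already built for the
            parent, node = i[:t - 1], i[:t]     # common prefix is reused; new seeds are
            if node not in self.tree:           # chosen for the remaining levels
                self.tree[node] = secrets.randbelow(N)
            a = int(node[-1])                   # left child -> source x_0, right -> x_1
            F.append(seed_auth((y0, y1)[a], a, self.tree[parent], self.tree[node]))
        gamma = [self.tree[i]] + [secrets.randbelow(N) for _ in range(K)]   # step 4
        H = [seed_auth(y0, 0, gamma[j - 1], gamma[j]) for j in range(1, K + 1)]
        B = [bit_auth(y, gamma[j], bits(m)[j - 1]) for j in range(1, K + 1)]
        return (F + H, B, m)                    # step 5: S_i = (F_i, B_i, m_i)

def verify(pk, sig):
    """Check Definition 9.1: spine from alpha_lambda, sources per level, B (beta+1)-attached."""
    (x, x0, x1, alpha_root, beta), (F, B, m) = pk, sig
    if len(F) != beta + K or len(B) != K or F[0][0] != alpha_root:
        return False
    for t, (root, child, a, zs) in enumerate(F):
        if (t >= beta and a != 0) or (t > 0 and root != F[t - 1][1]):
            return False
        if any(E((x0, x1)[a][2 * j + b], z) != root for j, (b, z) in enumerate(zip(bits(child), zs))):
            return False
    for j, (root, b, z) in enumerate(B):        # B^j must sit on the child of F^{beta+j}
        if root != F[beta + j][1] or b != bits(m)[j] or E(x[b], z) != root:
            return False
    return True
```

Signing consecutive leaves shares the authenticators of the common path prefix, which is the memory the linear scheme of Section 6 replaces with an ever-growing chain.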

In the course of signing, $S$ is thus building a binary tree of height $\beta$ whose nodes are labeled by seeds. The root is labeled with $\alpha_\lambda$, and the left and right children of a node with label $\alpha_s$ are labeled $\alpha_{s0}$ and $\alpha_{s1}$ respectively. Seed authenticators link a parent to its children: the child $\alpha_{sa}$ is authenticated by
$$(\alpha_s; \alpha_{sa})_{x_a}, \qquad a \in \{0,1\}.$$
The signature of the $i$-th message consists of the seed authenticators which form the path to the $i$-th leaf of this tree (numbering the leaves left to right, beginning at $0^\beta$), together with a further linear chain in the style of the previous scheme.

9.3 Security 

The argument to prove 

Theorem 9.2 Under the assumption that (G,E,I) is a trapdoor permutation generator the above 
tree based signature scheme is secure. 

is based on ideas entirely similar to those used in the proof of Theorem 7.6, and is complicated 
more by cumbersome notation than anything else. We thus omit it here. 

9.4 Advantages of the Tree Scheme 

The tree scheme not only produces more compact signatures, but has the advantage that the size 
of a signature is independent of the sizes of previous signatures. In order to discuss signature 
sizes more precisely, it is convenient to talk in terms of the length of a signature, a quantity easily 
visualized. 

Definition 9.3 The length of a signature S = (F,B,m) (in either the tree scheme or the linear 
scheme), denoted length(S), is the number of seed authenticators in F. 

The size of a signature $S$ (in bits) is then $O(k^2 \cdot \mathrm{length}(S))$, in either scheme.

For the tree scheme with signature bound $S_B$, the signature of a message $m$ is always of length $|m| + \log S_B(k)$, which is $k + \log S_B(k)$ for $m \in M_k$. In the linear scheme, the signature of the $i$-th message $m_i$ reaches a length of $\sum_{j=1}^{i} |m_j| = ik$, and thus if $S_B$ messages were to be signed the signature lengths reach $kS_B(k)$.

10 Variations and Improvements 

10.1 Arbitrary Length Messages 

The assumption that messages are always of length equal to the security parameter was made to simplify the proof, and can easily be removed. Messages of any length bounded by a fixed polynomial in $k$ are allowed, as long as they come from a subsequence free set:

Definition 10.1 A set $S$ of binary strings is subsequence free if any sequence $s_1, \ldots, s_r$ of strings from $S$ has the property that $s \in S$ is a substring of $s_1 \ldots s_r$ if and only if $s = s_j$ for some $j$.
Note that if a set $S$ is subsequence free then it is automatically prefix free, but not vice versa.

It is easy to encode arbitrary non-empty strings so that the resulting set is subsequence free. For example, encode a string by replacing each 0 by 00, each 1 by 11, and finally adding 01 to the beginning and end. The new string is about twice as long as the old. This is much better than encoding into strings of length $k$ (at least for $k > 3$).
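As an added example, not from the paper: the encoding just described, its decoder, and a brute-force check of Definition 10.1 over a constructed set of codewords (all messages of one to three bits, concatenated up to three at a time; the exhaustive check illustrates the property for that set rather than proving it in general). It also exhibits a set that is prefix free but not subsequence free, as the note above says can happen.

```python
from itertools import product

def encode(s):
    """Section 10.1 encoding: double every bit, then frame the result with the marker 01."""
    assert s and set(s) <= {"0", "1"}, "non-empty bit string expected"
    return "01" + "".join(c + c for c in s) + "01"

def decode(w):
    """Inverse of encode; returns None unless w is a valid codeword."""
    if len(w) < 6 or len(w) % 2 or w[:2] != "01" or w[-2:] != "01":
        return None
    pairs = [w[i:i + 2] for i in range(2, len(w) - 2, 2)]
    return "".join(p[0] for p in pairs) if all(p in ("00", "11") for p in pairs) else None

def is_prefix_free(codes):
    return not any(a != b and b.startswith(a) for a in codes for b in codes)

def is_subsequence_free(codes, r=3):
    """Definition 10.1, checked by brute force over all concatenations of up to r codewords:
    a codeword s may occur as a substring of s_1...s_r only when s is one of the s_j."""
    for n in range(1, r + 1):
        for seq in product(codes, repeat=n):
            w = "".join(seq)
            if any((s in w) != (s in seq) for s in codes):
                return False
    return True

# Constructed sample: every message of 1..3 bits and its codeword.
MESSAGES = ["".join(t) for n in range(1, 4) for t in product("01", repeat=n)]
CODEWORDS = [encode(m) for m in MESSAGES]
```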

10.2 A Memoryless Version 

[GMR] describe a method to make their scheme memoryless; they attribute the basic idea to Levin 
and improvements to [Go]. Another memoryless version of the scheme is due to [Gu]. We note here 
that the former set of techniques can be applied to make our scheme memoryless as well. The basic 
tool is the use of pseudo-random functions [GGM], whose existence is implied by our assumptions. 
A function from a pseudo-random collection is put in the secret key and used to compute the seeds 
in the tree ([GMR] call them roots) in a specific manner. Further, a random branch of the tree is 
chosen to sign the next message rather than using the branches in order from left to right. 